Re: win 2000 file encryption

From: Drew Cooper [MSFT] (dcoop_at_online.microsoft.com)
Date: 01/30/04


Date: Thu, 29 Jan 2004 17:27:51 -0800

Security isn't a game of absolutes if you want a useful machine.

Yes, the keys are on the HD. They're in that user's profile. They're
encrypted by DPAPI, which through a series of keys encrypting other keys
ultimately encrypts a key with the user's SID and password. So if you want
EFS to be more secure, use a strong password.

Yes, there would be some value in removing the keys, but the user experience
would suck. It would flow like this:
1. Ok - I'm done on this machine now - I'll export my cert with private key,
put them on a floppy if I haven't already done so, and delete them on the
HD.
2. That material might still be on the disk even though I deleted it - I
should scrub my drive.
(half an hour later)
3. Ahh - I can finally log off.
(back at the machine the next day)
4. Time to log on and do some work. Where's that floppy?
(if floppy is lost so is the data, otherwise continue)
5. Here's the floppy! Import the certificate with private key.
6. Put the floppy in a safe so that someone else doesn't get the key pair.
7. Work's over! Time to go back to #1.

The key on a USB dongle or a smartcard might make sense, but we don't
currently offer that capability.

-- 
Drew Cooper [MSFT]
This posting is provided "AS IS" with no warranties, and confers no rights.
"Richard Jake" <sorry@sorry.com> wrote in message
news:bvc7qo$q2c$1@jura.cc.ic.ac.uk...
> I have setup an encrypted folders on a laptop running win2000.
>
> What I am concerned about is that both the encryption keys and the
> encrypted files must be on the HD disk somewhere. In which case if the
> laptop was stolen and someone transferred the HD to their PC, surely all
> the information (keys + files) for de-encrypting the files will be
> available to them.
>
> Surely for it to be secure one of the keys must be kept external to the
> laptop.
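A toy model of the key chain described in the reply above (a per-file key wrapped by the user's key, which is wrapped by a master key that is derived from the password and SID), added here as an illustration; it is not Microsoft's DPAPI or EFS code. The primitives (PBKDF2 for the master key, an HMAC-SHA256 keystream with an HMAC tag as the wrapping cipher), the blob layout and the sample SID are assumptions chosen so the example runs on the Python standard library alone. What it shows is the point of the thread: everything a thief gets from the disk is in the `disk` dictionary, and the only thing standing between them and the plaintext is an offline guess at the password.

```python
"""Simplified 'keys encrypting other keys, rooted in the password' model.

Added example, not DPAPI/EFS. Assumed structure:
  password + SID --PBKDF2--> master key
  master key wraps the user's key (stands in for the EFS private key)
  user key wraps the per-file encryption key (FEK)
  FEK encrypts the file contents
Real DPAPI/EFS use different primitives (RSA, 3DES/AES, their own KDFs);
only the shape of the chain is modelled here.
"""
import hashlib
import hmac
import os

ITERATIONS = 10_000  # assumed work factor for the password KDF


def derive_master_key(password: str, sid: str, salt: bytes) -> bytes:
    """Master key exists only while the password is known; it is not stored."""
    return hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-16-le"), sid.encode() + salt, ITERATIONS, 32
    )


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode, used as a stream cipher for the toy model."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def wrap(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unwrap(key: bytes, blob: bytes):
    """Returns the plaintext, or None when the key is wrong (tag mismatch)."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


def protect_file(password: str, sid: str, data: bytes) -> dict:
    """Everything returned here is what a thief finds on the stolen disk."""
    salt = os.urandom(16)
    master = derive_master_key(password, sid, salt)
    user_key = os.urandom(32)  # stands in for the EFS private key
    fek = os.urandom(32)       # per-file key
    return {
        "sid": sid,
        "salt": salt,
        "user_key_blob": wrap(master, user_key),  # in the profile, password-protected
        "fek_blob": wrap(user_key, fek),          # stored alongside the file
        "ciphertext": wrap(fek, data),
    }


def recover_file(password: str, disk: dict):
    """Walk the chain downwards; any wrong key stops the walk with None."""
    master = derive_master_key(password, disk["sid"], disk["salt"])
    user_key = unwrap(master, disk["user_key_blob"])
    if user_key is None:
        return None
    fek = unwrap(user_key, disk["fek_blob"])
    if fek is None:
        return None
    return unwrap(fek, disk["ciphertext"])


def offline_guess(disk: dict, wordlist):
    """Attacker holding the disk: the password is the only unknown."""
    for guess in wordlist:
        if recover_file(guess, disk) is not None:
            return guess
    return None


if __name__ == "__main__":
    SID = "S-1-5-21-1-2-3-1001"  # constructed sample SID
    disk = protect_file("rosebud", SID, b"constructed payroll data")
    print("owner recovers:", recover_file("rosebud", disk))
    print("thief, no password:", recover_file("", disk))
    print("thief, wordlist:", offline_guess(disk, ["123456", "password", "rosebud"]))
```

The dictionary attack at the end is the practical reading of "use a strong password": the wrapping chain holds up against a stolen disk exactly as long as the password does, since the KDF work factor only slows each guess down.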
